On Thu, Jan 15, 2026 at 9:48 AM Máirín Duffy via legal < [email protected]> wrote:
> Hi Fedora Legal! 👋
>
> I have a question about two packages in Fedora that are dependencies for
> goose, which our (Rodolfo and I's) team are working on packaging for
> Fedora. They are:
>
> - *constant_time_eq* -
>   https://packages.fedoraproject.org/pkgs/rust-constant_time_eq/
> - *tiny-keccak* -
>   https://packages.fedoraproject.org/pkgs/rust-tiny-keccak
>
> *constant_time_eq*'s upstream states it may be used under CC0, Apache
> 2.0, or MIT at the user's option:
> https://github.com/cesarb/constant_time_eq (see README)
>
> *tiny-keccak* is CC0 only, though: https://github.com/debris/tiny-keccak
>
> Goose is built in Rust, and we're looking at packaging it as a bundle and
> vendoring dependencies like these. They already exist in Fedora, but not
> sure what the policy is on pre-existing libraries like these.
>
> Questions:
>
> - Assuming just because these are already packaged in Fedora, doesn't mean
>   they're ok to vendor in another Fedora package. Correct?

That is correct. If you're pulling them in normally, they are covered by the grandfather clause for now, but new stuff (including vendoring) will need fixes.

> - Can we use one of the other licenses for *constant_time_eq* which are
>   acceptable for Fedora packages? Or are there any concerns there?

As it is multi-licensed, there's no concern. In practice we'd just consider CC0 a null option.

> - Do you have any advice on how to handle *tiny-keccak*'s license?

Ask the upstream to change to a suitable alternative? Usually I suggest MIT instead. If they accept the change, then you can pull that back into Fedora.

--
真実はいつも一つ!/ Always, there's only one truth!
